Velocity — Privacy Policy
Last updated: 2026-04-23
DRAFT — REVIEW BY LICENSED COUNSEL BEFORE PRODUCTION USE. This policy is a comprehensive starting point, not legal advice. Requirements vary by jurisdiction.
This Privacy Policy ("Policy") describes how Andiamo LLC ("Andiamo," "we," "us," or "our") collects, uses, shares, and protects information about you when you use the Velocity service, including the website at https://velocity.andiamo.tech, associated mobile interfaces, and all related APIs and integrations (collectively, the "Service").
By creating an account, signing in, or otherwise using the Service, you acknowledge that you have read and understand this Policy.
1. Definitions
- "Personal Information" means information that identifies, relates to, describes, or could reasonably be linked to a particular individual or household.
- "Processing" means any operation performed on Personal Information, including collection, recording, storage, use, disclosure, transmission, or deletion.
- "Sub-processor" means a third-party processor engaged by us to process Personal Information on our behalf.
- "Service Provider" and "Controller" have the meanings given under applicable data-protection law (e.g., GDPR, CCPA/CPRA).
2. Information we collect
2.1 Information you provide directly
- Account information. Email address, display name, password (stored only as a hashed value), and, where applicable, authentication-provider identifiers (e.g., Microsoft Entra External ID subject claim, Keycloak subject).
- Profile information. Optional bio, avatar, linked social handles, default region, and notification preferences.
- Content you submit. Tracked items, watchlists, alerts, comments, saved searches, and any files or links you upload or attach.
- Payment information. If you purchase a paid subscription, Stripe processes your payment. Stripe returns to us a tokenized reference, the last four digits of your card, brand, expiration month and year, and billing country. We do not receive or store your full primary account number (PAN).
- Support communications. Information you provide when you contact support, submit feedback, or respond to surveys.
2.2 Information collected automatically
- Usage information. Pages viewed, features used, links clicked, requests made, timestamps, HTTP referrers, session identifiers, and approximate dwell time.
- Device information. IP address, browser type and version, operating system, device type, language preference, and screen resolution.
- Location information. When you explicitly provide a region or enable a location-aware feature (e.g., regional emergency feeds), we collect the approximate coordinates you provide. We do not passively track your precise geolocation.
- Cookies and similar technologies. We use first-party cookies for authentication, session persistence, fraud prevention, and preference storage. See our Cookie Policy for the full inventory, including lifespans and opt-out mechanisms.
2.3 Information from third parties
- Authentication providers (e.g., Microsoft Entra External ID) may share your email, display name, and verified-email status as part of a sign-in flow you initiate.
- Feed sources. Public feed content (RSS, emergency alerts, government data) is not Personal Information about you, but your interactions with that content (likes, dwells, saves) are.
3. How we use information
We process Personal Information for the following purposes and lawful bases (where GDPR applies):
| Purpose | Examples | Lawful basis (GDPR) |
|---|---|---|
| Provide the Service | Authentication, feed delivery, watchlists, alerts | Contract |
| Security and fraud prevention | Abuse detection, account-takeover protection, rate limiting | Legitimate interests |
| Billing and taxation | Subscription processing, receipts, tax records | Contract; Legal obligation |
| Transactional communications | Password resets, subscription notices, alerts you configured | Contract |
| Product improvement | Aggregate analytics, A/B tests, error diagnostics | Legitimate interests |
| Compliance and legal response | Responding to lawful requests, enforcing Terms | Legal obligation; Legitimate interests |
| Marketing communications (optional) | Product updates, newsletters — opt-in only | Consent |
We do not sell your Personal Information. We do not use your content to train general-purpose AI models without your explicit, affirmative consent.
4. How we share information
4.1 Sub-processors
We engage the following categories of Sub-processors, each bound by a written data-processing agreement with confidentiality, security, and onward-transfer restrictions:
| Sub-processor | Role | Location |
|---|---|---|
| Microsoft Azure | Hosting, databases, storage | United States |
| Stripe, Inc. | Payment processing, subscription billing | United States |
| Postmark (ActiveCampaign) | Transactional email | United States |
| Microsoft Entra External ID | Authentication (optional) | United States / EU |
| Keycloak (self-hosted) | Authentication (alternate) | United States |
| Azure Application Insights | Error reporting, performance telemetry | United States |
4.2 Legal and safety disclosures
We may disclose Personal Information when we have a good-faith belief that disclosure is required to (a) comply with a subpoena, court order, or other legal process, (b) enforce our Terms of Service, (c) protect the rights, property, or safety of Andiamo, our users, or the public, or (d) investigate fraud or security incidents.
4.3 Corporate transactions
In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of some or all of our assets, Personal Information may be transferred to the acquiring entity. We will notify affected users by email or in-product notice before the transfer becomes effective.
4.4 With your consent
We may share Personal Information with other parties with your explicit, affirmative consent, which you may withdraw at any time.
5. Your rights
Depending on where you live, you may have the following rights. To exercise any of them, email support@andiamo.tech from the address associated with your account. We will respond within the period required by applicable law (generally 30–45 days).
- Right of access. Receive a copy of the Personal Information we hold about you.
- Right to rectification. Request correction of inaccurate or incomplete information.
- Right to erasure ("right to be forgotten"). Request deletion of your Personal Information, subject to legal retention requirements.
- Right to data portability. Receive your information in a structured, commonly used, machine-readable format.
- Right to restrict processing. Ask us to limit how we use your information.
- Right to object. Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent. Where we rely on consent, withdraw it at any time (without affecting prior lawful processing).
5.1 EU / UK / EEA residents (GDPR)
Our lawful bases for processing are listed in Section 3. You have the right to lodge a complaint with your supervisory authority. We do not rely on automated decision-making with legal or similarly significant effects.
5.2 California residents (CCPA / CPRA)
- We collect the categories of Personal Information described in Section 2.
- We do not sell or share Personal Information as those terms are defined under the CCPA/CPRA.
- You have the rights to know, delete, correct, limit use of sensitive Personal Information, and to opt out of sale/sharing.
- You may designate an authorized agent to make a request on your behalf (subject to verification).
5.3 Washington residents (My Health My Data Act — RCW 19.373)
The Washington My Health My Data Act defines "consumer health data" broadly to include information linked or linkable to a consumer that identifies past, present, or future physical or mental health status, including data inferred from precise location or online behavior.
Although Velocity is not a health service, in limited circumstances — for example, when an opted-in user provides an approximate location together with engagement signals involving health-related emergency alerts or public-health feeds — the combination of data we process could constitute "consumer health data" under the Act.
For Washington residents, we:
- Obtain opt-in consent for any collection that could reasonably be characterized as consumer health data.
- Do not sell consumer health data. We will not sell it without obtaining a separate written authorization that meets the requirements of RCW 19.373.070.
- Do not implement any geofence within 2,000 feet of a healthcare facility for advertising, identification, or messaging.
- Honor right-to-delete requests for consumer health data within thirty (30) days of a verified request.
Washington residents may bring a private right of action for violations under the Washington Consumer Protection Act (RCW 19.86).
5.4 Other U.S. state laws
Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and other states with comprehensive privacy laws have substantively similar rights; we honor those rights as required by the applicable law.
6. Retention
- Active accounts: We retain Personal Information while your account is active.
- Deleted accounts: Upon account deletion, we purge Personal Information within 30 days, subject to the exceptions below.
- Financial records (invoices, tax documentation): retained for seven (7) years to meet tax and accounting obligations.
- Security and abuse records: retained for up to two (2) years to support investigations and defend claims.
- Aggregate or de-identified data: may be retained indefinitely provided it cannot reasonably be used to re-identify you.
7. Security
We implement administrative, technical, and physical safeguards designed to protect Personal Information, including:
- TLS 1.2+ encryption for all data in transit.
- Encryption at rest for primary databases and backups.
- Role-based access controls, least-privilege principles, and periodic access reviews.
- Multi-factor authentication for administrative access.
- Secret rotation, dependency scanning, and periodic security reviews.
- Audit logging and anomaly detection for privileged actions.
No security program is perfect. In the event of a breach affecting your Personal Information, we will notify you without undue delay and in accordance with applicable law.
8. International data transfers
We host primarily in the United States. If you access the Service from outside the United States, your Personal Information will be transferred to, stored in, and processed in the United States (and potentially other countries where our Sub-processors operate). Where required (e.g., transfers from the EEA), we rely on Standard Contractual Clauses and supplementary measures.
9. Automated decision-making and AI
Velocity applies algorithmic scoring (the "Velocity Score") to feed content. These scores are content scores, not personal profiling. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing. AI features that personalize your feed use only your own declared preferences and interactions.
10. Children
The Service is not directed to children under 13, and we do not knowingly collect Personal Information from children under 13. If you are a parent or guardian and believe your child has provided us with information, email support@andiamo.tech and we will promptly delete it.
10A. Commercial email (Washington RCW 19.190 — CEMA)
If you opt in to marketing email from Velocity, we comply with the Washington Commercial Electronic Mail Act (RCW 19.190). We use truthful "From" and "Subject" lines, maintain functional unsubscribe links, include a valid physical address, and honor opt-outs promptly. Marketing opt-in is always separate from your acceptance of these Terms and the Privacy Policy.
11. Cookies and tracking
See our separate Cookie Policy for a full inventory of cookies, their purposes, durations, and opt-out mechanisms. We honor Global Privacy Control (GPC) browser signals as a valid opt-out for data "sale" or "sharing" under CCPA/CPRA.
12. Do Not Track
Our Service does not respond to browser "Do Not Track" signals (there is no consensus standard). We do respond to GPC signals as noted above.
13. Changes to this Policy
We may update this Policy from time to time. We will post the updated Policy here with a new "Last updated" date. Material changes will be announced at least thirty (30) days in advance via email (to the address on your account) or conspicuous in-product notice. Continued use after the effective date constitutes acceptance of the updated Policy.
14. Data Protection Officer and contact
- Privacy inquiries and data-subject requests: support@andiamo.tech
- Postal address: Andiamo LLC, Skagit Valley, Washington, United States
- EU / UK representative: to be designated prior to EU/UK rollout
If you are not satisfied with our response, you may contact your local data-protection authority.